March 13, 2026
by Ferdous Al-Faruque

Expert: Stryker cyberattack could lead FDA to reassess cybersecurity requirements

An Iran-linked hacker group called Handala Team has claimed responsibility for an attack that disrupted Michigan-based medical device manufacturer Stryker’s Microsoft systems this week. While the company has said the damage from the incident is contained, a cybersecurity expert says it could lead the US Food and Drug Administration (FDA) to reassess its cybersecurity requirements.
 
On 11 March, Stryker issued a statement that it is “experiencing a global network disruption to our Microsoft environment as a result of a cyberattack.” The company stated that it has no indications of ransomware or malware associated with the attack and believes it is contained. It also noted that it has business continuity measures in place to ensure it can continue supporting its customers.
 
Handala said it attacked the company in retaliation for the US and Israel’s bombing of Iran, in particular, the alleged bombing of an elementary school that killed more than 170 people, mostly children, The Wall Street Journal reported. Since the attack, news reports have revealed that the hacktivists exploited a vulnerability in the Microsoft Intune cloud-based management system to reset Stryker’s laptops, cell phones, and other devices to factory settings, leaving employees unable to access their work devices. Initial reports also estimate that 200,000 systems, servers, and devices were compromised, leading to the loss of 50 terabytes of data.
 
Michelle Jump, MedSec CEO and a former Stryker employee, said the attack on the company was the main topic of discussion at the HIMSS Global Healthcare Conference in Las Vegas, which she was attending when she spoke to Focus.
 
"I'm here in the hallways of HIMSS, and everybody's talking about it," said Jump. "It's shocking. It's not that Stryker is not doing the right thing.
 
“They have their security policies, they have the things in place, but the fact that they got targeted anyways, it does feel shocking, and it has really been quite the talking point here around HIMSS,” she added.
 
Jump noted that Stryker has a history of participating in cybersecurity discussions and praised her former employer for its quick response to the attack.
 
“It's clear that Stryker has a quite mature incident response program in the speed and clarity with which they communicated and responded to this,” said Jump. “Honestly, kudos to them.”
 
Jump noted that the first step a company needs to take when attacked is to conduct an initial assessment to determine how far the attack has spread and to try to contain the damage. She emphasized that immediately after the attack, Stryker likely mobilized staff specifically trained for such attacks.
 
“People have been prepped for this,” said Jump. “Most companies of Stryker’s size will have incident response programs where everyone knows their job, they're on call, they're on a list, and everyone goes into action.
 
“There's a lot happening at once, because cyber events can travel very quickly,” she added. “Response time and scope of response are critical for these types of issues, as opposed to other kinds of incidents you might run into or other failures you might have in your system.”
 
Jump also lauded Stryker for being quick to communicate what happened and keep stakeholders in the loop about the extent of the attack. She noted that reports of the attack surfaced very quickly on the social media platform Reddit, and employees raised questions about what was happening because they couldn't communicate through their work devices.
 
"It's important they get this public push out that it happened, and then there has been regular communication throughout the day as they started to get more information, which is really critical," said Jump. "Once they finish all of their investigation, they may find that there are things that they could have done differently.
 
“It's notable that this is a Microsoft attack on their enterprise, so it's not like they went after their medical devices,” she added. “A lot of times, these kinds of events happen from a phishing attack...from clicking on malicious links or having an insider that is able to launch some type of attack. We won't know [how it happened] until they release that [information].”
 
Jump also said it’s important for medical device companies like Stryker to keep FDA abreast of developments. She noted that the agency has expectations for communicating directly with regulators after such a cybersecurity attack.
 
“The FDA has historically played kind of a central pivot point in navigating to other agencies like the FBI, [Cybersecurity and Infrastructure Security Agency (CISA)], and other types of groups that can help manage incidents of this size,” said Jump. “Usually, the FDA is engaged fairly quickly in a communication stream so that they can be read in and help support that, and then obviously any affected external entities, and that's not only what they know and what's affected, but also what they know that's not affected.
 
“One of the things that we saw with Stryker, they were fairly quick to confirm that their [medical] devices did not appear to be affected,” she added. “That kind of communication to the industry as well as to internal agencies becomes really important.”
 
Jump said the attack may also lead FDA to put more focus on asking companies for evidence that they are following statutory requirements to ensure their devices are secure. Even though the attack didn’t affect medical devices, she said it may be too close for comfort for the agency.
 
“They haven't had as high of a focus and wanting to look at incident response programs because we haven't seen a huge incident such as this happen,” said Jump. “I would suspect that the FDA might be taking a little closer look at incident response programs, asking for a little bit more depth in how well companies are prepared for this.”
 
When considering which government entities to communicate with, Jump also noted that she’s been advised by the Federal Bureau of Investigation (FBI) that manufacturers should maintain a relationship with their local FBI office so they can respond quickly in the event of a cyberattack.
 
Jump also said the latest attack could have a lasting impact on how companies and governments address cybersecurity threats, similar to the way they responded after the 2016 WannaCry ransomware attacks, which were attributed to North Korea. She said that people in the cybersecurity industry are very wary of nation-state-targeted attacks like WannaCry and that this recent attack will likely go down in history as another pivotal moment in how cybersecurity is addressed.
 
“I think it's going to have ripple effects on medical device manufacturing leaders, and I think it's going to have ripple effects on supporting groups like government agencies as well as insurance companies,” said Jump. “They contained it quickly, but we don't know what the downstream effect is going to be.
 
"This being a targeted nation-state attack feels different, and I think it's going to influence change about what could actually happen to companies in our industry," she added.